Data theft and online sabotage will cost the German economy around €223 billion throughout 2020 and 2021, according to a current Bitkom study. The figure has thus more than doubled in comparison with damages of €103 billion during the 2018/2019 survey period. The primary cause of this rise is the dramatic increase in ransomware attacks, whereby the encryption of company data leads to production shutdowns and necessitates a time-consuming reset of the compromised systems. In light of this threat, companies need a solid IT infrastructure in order to keep pace with cybercriminals’ increasingly sophisticated attack strategies. But, when it comes to planning and carrying out the necessary measures, many IT security managers could be doing more.
As a specialist in secure logins, Nevis names the most common mistakes and provides tips for the best ways to implement improvements.
1. Making false assumptions
‘Hackers won’t be interested in our company!’ A fatal false assumption, as a look at recent cyberattacks shows: there are no industries or companies of any particular size that are immune from being targeted by hackers. A widespread phishing attack can be rolled out to recipients in international corporations as well as to employees in small and medium-sized enterprises. The time and effort involved is relatively low for online criminals, and an attempt is even worthwhile if only one employee in two or three companies makes a careless click, thus giving the perpetrators access to the company network.
2. Failing to develop a security strategy
Many companies set up isolated protections, such as firewalls or spam filters, but lack a comprehensive security strategy that includes organisational measures alongside technical solutions. Essentially, IT managers should conduct an inventory analysis to determine exactly which assets – i.e. data, documents or access rights – need to be protected. This process also includes deciding how strong the ‘walls’ around each individual asset need to be. Safeguarding innovative manufacturing processes, for example, is a higher priority than protecting contact data. Another essential component: threat modelling, which analyses the threat potential for individual systems and applications as well as potential attack vectors. Building on the foundation described above, companies can then nail down the specific measures – such as investments in security or identity management – that they need.
3. Not keeping operating systems and other software up-to-date
For the security of company IT systems, it is essential to carry out important updates and upgrades promptly. However, since this involves effort and sometimes also costs, there are still some companies that do not always do it. And that’s a mistake that can be expensive in the event of an attack. Why? Just like hardware, operating systems, software applications and server solutions also become outdated over time. In order to ensure that they maintain their customary performance and meet current security standards, they need to be patched and updated regularly. Companies should refrain entirely from using operating systems and applications that are no longer supported by the manufacturers, since these will lack regular security updates, thus strongly increasing the risk of successful attacks.
4. Skipping multi-factor authentication
Many users still use passwords that are easy to crack or make the mistake of using one password for several accounts. But with methods such as brute force and credential stuffing, criminals can easily find out user name/password combinations and thus penetrate the company network. No matter whether it’s a customer or an employee login, two-factor or even multi-factor authentication will improve the security of all accounts. With multi-factor authentication (MFA), however, not just a password but at least one more factor – like a numerical code sent by text message or generated via an authenticator app – is required for identity verification at login. Since hackers usually will not have access to that, an identity management that includes MFA thwarts the attack from the outset.
5. Underestimating the human risk factor
The growing threat risk is known, so many institutions are already taking technical measures. What is often underestimated, however, is the human factor. While the methods that cybercriminals deploy are ever more sophisticated, they still rely on people making mistakes. In the chain of all the cybersecurity measures that a company can possibly take, the weakest link is always the human being. Senders of phishing emails, for example, always reckon that recipients will click on the malicious links they contain without thinking because the message looks important. That’s why it is vital for companies to educate their employees about the cyber threats they may encounter in their daily work. Ongoing courses and security training, for example, are suitable tools to achieve that goal.
As this list shows, a well-planned approach helps to lay the foundation for an optimum security strategy. This includes awareness of the fact that there are no ‘uninteresting’ targets for cybercriminals. Large-scale attacks are widespread and can hit companies of all sizes and in all industries. When it comes to the practical implementation of security measures, the most basic efforts – like regularly installing software patches – are the best way to guarantee a minimum level of security. In order to further improve their security standard, companies should include additional measures such as mandatory multi-factor authentication in their identity-management framework. Last but not least, employees need continuous training to keep them aware of the heightened threat situation. Only when every member of the organisation is clear about their shared responsibility for IT security and acts accordingly will the human risk factor become the human security factor.